- 03-25-2008 #1 (Just Joined! | Join Date: Mar 2008 | Location: Lincoln, NE | Posts: 2)
Deny user in Apache 2.0
I'm running Apache 2.0.52 on RedHat Enterprise Linux 4. Authentication is done via samba/winbind to our Active Directory server, and is working fine. I'm currently restricting access to a particular directory to just a certain AD group with the following config:
<Location "/">
AllowOverride None
AuthType Basic
AuthName "Documentation"
AuthPAM_Enabled on
AuthPAM_FallThrough off
Require group "domain\group1"
Require group "domain\group2"
Require user "domain\someuser"
</Location>
Those two groups are rather large, and are used for many things on our network. However, for this web server, I want to be able to exclude one user from within group1. This user still needs access to all the other stuff on the network that uses group1 for access control, so I can't just remove him from the group. I also don't want to have to maintain two separate, but nearly equal, groups.
Does Apache have any way to deny access to a particular username, even if they've given valid credentials?
- 03-25-2008 #2
Since I believe order matters, could you put the deny statement before you allow the group? Haven't tried it, but it might work.
- 03-26-2008 #3 (Just Joined! | Join Date: Mar 2008 | Location: Lincoln, NE | Posts: 2)
The problem is that I don't know the syntax to reject based on a username. The standard "deny" command operates on hostnames & domains, not on users.
- 03-26-2008 #4
I think you're right.

The only option I can see is to require the group, and then right after that require the list of users. That way you don't have to affect your AD but limit just for Apache. I can't really see any other way. You might want to sign up for the Apache mailing list and ask there.


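Added example (not from the thread): a shell function that builds the explicit `Require user` list suggested in reply #4 from `getent group` output, leaving out the one denied account, so no second AD group has to be maintained by hand. Apache 2.0 grants access when any `Require` line matches, so the generated lines are meant to replace the `Require group` lines and have to be regenerated when group membership changes. Assumptions: winbind lists group members in `getent group`; the function name, sample data and account names are constructed.

```shell
#!/bin/sh
# Added example: turn `getent group` lines into Apache "Require user" lines,
# skipping one denied account. Function name and sample data are constructed.
#
# Real use (assumes winbind expands AD group members in getent output):
#   getent group 'domain\group1' 'domain\group2' | gen_require_users 'domain\baduser'

gen_require_users() {
    # $1 = account to exclude, e.g. 'domain\baduser'
    # stdin = lines in group(5) format: name:passwd:gid:member1,member2,...
    # The name is passed through the environment, not `awk -v`, because -v
    # would interpret backslash escapes (the \b in domain\baduser).
    DENIED="$1" awk -F: '
        BEGIN { denied = tolower(ENVIRON["DENIED"]) }
        {
            n = split($4, members, ",")
            for (i = 1; i <= n; i++) {
                m = members[i]
                key = tolower(m)          # AD account names are case-insensitive
                if (m == "" || key == denied || seen[key]++)
                    continue              # skip blanks, the denied user, duplicates
                printf "Require user \"%s\"\n", m
            }
        }'
}

# Constructed sample standing in for getent output of group1 and group2.
SAMPLE_GETENT='domain\group1:x:10001:domain\alice,domain\bob,domain\carol
domain\group2:x:10002:domain\bob,domain\dave'

# Demo: deny bob, who is a member of both groups.
# printf is used instead of echo so the backslashes are not interpreted.
printf '%s\n' "$SAMPLE_GETENT" | gen_require_users 'domain\bob'
```

The output is pasted (or included from a generated file) inside the `<Location>` block next to the existing `Require user "domain\someuser"` line.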
